CAPEC-647: Collect Data from Registries
An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.
Last updated
Overview
CAPEC-647 (Collect Data from Registries) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Gain logical access to system] An adversary must first gain logical access to the system it wants to gather registry information from,
- Obtain user account credentials and access the system
- Plant malware on the system that will give remote logical access to the adversary
- Step 2Experiment
[Determine if the permissions are correct] Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means
- Step 3Experiment
[Peruse registry for information] Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.